• Use vpncmd to configure SoftEther VPN Server:

/opt/softether/vpncmd

• Choose 1 to configure the VPN server,
• The admin console is listening on port 5555. Enter 127.0.0.1:5555 to access the admin console.
• Then press Enter to skip Virtual Hub selection.
• By default, the password for the admin console is empty. Set a password by executing the ServerPasswordSet command.
• Configure virtual hub in SoftEtherVPN. Use the default virtual hub named DEFAULT.

Hub DEFAULT

• Create a VPN account (replace username with your preferred username), and set password:

UserCreate username
UserPasswordSet username

Follow these steps if SecureNAT is chosen instead of Virtual Hub:

• Enable SecureNAT which is paired with DHCP:

SecureNatEnable
DhcpSet

• You will be asked a series of configs. Use the following (example):

Start Point for Distributed Address Band: 192.168.30.10
End Point for Distributed Address Band: 192.168.30.200
Subnet Mask: 255.255.255.0
Lease Limit (Seconds): 7200
Default Gateway: 192.168.30.1
DNS Server 1: 192.168.30.1
DNS server 2: 8.8.8.8
Domain Name: Press Enter to skip.
Save Log: yes

• Log out from the admin console:

exit

Follow these steps if Local Bridge Connection is chosen instead of SecureNAT.

• Disable SecureNAT if it's active:

SecureNatDisable

• Create the Bridge, EtherSoft will add tap_ prefix, and created tap_vpn for the tap device:

BridgeCreate YOUR_HUB_NAME /DEVICE:vpn /TAP:yes

• Log out from the admin console:

exit

• Assign IP address to the tap device using DHCP, follow this guide: DHCP Server
• Enable IP Forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

• Make it permanent by ensuring this parameter net.ipv4.ip_forward=1 on file /etc/sysctl.conf
• On cloud server disable the Reverse Path Filtering (RPF), edit /proc/sys/net/ipv4/conf/ens3/rp_filter make sure the value is 0 (0=disable, 1=strict, 2=loose)

• add this rule to IPTABLE:

sudo iptables -t nat -A POSTROUTING -s 192.168.40.0/24 -o ens3 -j MASQUERADE
sudo iptables -A FORWARD -i tap_vpn -o ens3 -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o tap_vpn -j ACCEPT

• check the IPTABLES rules:

sudo iptables -t nat -L -v -n

• Install this to make the IPTABLES rules persistent:

sudo apt install netfilter-persistent -y

• save the IPTABLES rules:

sudo netfilter-persistent save

• Remember to enable ICMP on Windows if using Windows as the client for testing the ping!
• Some clouds have reverse path filtering activated, check /proc/sys/net/ipv4/conf/tap_vpn/rp_filter
• if the value is 2 (STRICT), set this off (temporary):

sudo sysctl -w net.ipv4.conf.tap_vpn.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.rp_filter=0

• or permanently, by editing /etc/sysctl.conf and change to this:

net.ipv4.conf.tap_vpn.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0